Gwenn CujdikClaims Manager, Cyber Incident Response, AXA XL
February 7, 2022
The best way to deal with cybersecurity breaches is to prevent them from happening. But there’s no place for complacency in cybersecurity, so no matter how strong a company thinks its safeguards are, it also needs a plan for responding swiftly, effectively, and credibly to the worst-case scenario.
That’s why AXA XL launched its North America Cyber Incident Response Team -- to help clients before, during and after cyber breaches. The team is headed by Gwenn E. Cujdik, who brings a unique perspective to her work as Manager of the North America Cyber Incident Response Team. An attorney, her background encompasses investigation, crisis management and litigation related to data privacy, cybersecurity, and regulation.
Prior to joining AXA XL, Gwenn was a Partner at Mullen Coughlin LLC, where she focused on data privacy and cybersecurity incident response and compliance. A former Assistant District Attorney in Philadelphia, she began her career prosecuting criminals. Now, her collective career experience is helping AXA XL address their clients’ need to respond quickly to cyber risks and criminals.
Here, Gwenn answers questions about the state of cybersecurity, how companies can best protect themselves and why a quick response is so important in helping to minimize potential losses.
GC: Recent events involving significantly high-profile ransomware matters have had a substantial impact on companies, and with that visibility has come greater understanding. As a result, companies are reaching out to get assistance in better securing their environment and managing the risk associated with these cyber events. By providing the support of established experts, this team gives clients cybersecurity guidance without requiring them to get fully up to speed in the field.
GC: Since the pandemic increased the number of people working at home, there’s been a greater blend of our personal and professional lives. Best practices keep business and personal devices separate. But in real life, people are mixing their use of both in a way that raises added cybersecurity concerns for companies, which now must ensure that every device that employees use to access work is protected — and that the company is protected from risks that may be posed by those devices.
The prevalence of remote work also raises the stakes on the human element in the cybersecurity equation. That’s why, in addition to securing devices, companies must step up their game on employee training to safeguard the company’s infrastructure, its data and its intellectual property against breaches enabled by human error.
GC: Our Cyber Incident Response Team is unique in that it’s taking a holistic approach to assisting our clients. From the time the insurance policy is issued, we look for what can we do to help achieve better security. We can offer recommendations, discuss pre-incident services, and talk through existing incident response plans. During those discussions, we may ask questions that help to expose areas of vulnerability that we, in partnership with our vendors, can work with clients to resolve.
In the event that an incident does occur, clients have a direct line to our team, either through me or through our hotline, and within minutes AXA XL will have a claim specialist working on the matter. We’ll have a team of specialists — from breach coaches to forensic investigators — on a call with our clients that same morning, afternoon, or evening to get a comprehensive response organized immediately. It’s essential for clients to have a high caliber of service at their disposal when, in a moment of panic, they may not have the calm or clarity necessary to consider their obligations under 50 different state laws, or international regulations, or to vet vendors and experts necessary to orchestrate an effective and credible response.
GC: We’ve built a team with significant breach management and response experience. My expertise stems from assisting as a Breach Coach (an attorney specializing in Cyber Incident Response and Data Privacy Laws) and as a Cyber Claims Specialist in hundreds of cyber events from the initial call that something is happening through remediation, restoration, and investigation to notification and follow-up from stakeholders, business partners, regulators, law enforcement, and impacted populations thereafter. Many of those incidents particularly in the last few years have been ransomware events. With ransomware, bad actors are locking up your systems and gaining access to information they can steal. The best protection is to secure systems and segregate important information so that if there is a breach, key information is not accessible. And that segregation needs to extend to backups. We want to make sure that our clients have a copy in a secure place so if someone gets into the system, they can’t access, delete or encrypt that backup. Of course, that requires companies to engage consistently in best practices in backup frequency and in maintaining adequate storage for that data.
We also encourage companies to assess and address the risks that could emerge if the credentials of key players with administrative rights are compromised. Companies should have business continuity/disaster recovery plans in place to ensure that critical systems and data restoration can occur as quickly and safely as possible and that there are workaround solutions in place to keep the company afloat during the restoration process. Incident response plans are also a key component to effectively responding to a ransomware event. These plans outline the response process, roles, and responsibilities of the internal response team, who to contact and when, incident response vendor information, company procedures and protocols in the event of a breach, and may include communication strategies, restoration and remediation strategies, and other critical information relating to a response.
GC: We advise our insureds to discuss external communications with a breach coach. This consult includes discussing communication with critical stakeholders, including customers, vendors, and other business partners in the event there is a spoof of company letterhead, emails, website or other elements of their identity. It is also important for the company to understand the full nature and extent of an event involving identity spoofing to help inform an appropriate response. For example, is this event occurring as a result of a cyber incident within the company, is it an issue involving a cyber event of a vendor, or is it the result of social engineering of publicly available information? There needs to be some level of investigation into the event to determine the who, what, when, where and how to develop the best and most appropriate communication strategies, which includes a determination as to whether any communications or public statements are appropriate.
GC: When a company is down, everyone has questions, from customers, employees and business partners to law enforcement agencies, regulators, and media. The breadth of the event determines the scale of its impact on external entities, including other companies or the supply chain, which may garner attention not only from impacted entities, but also media. Whatever its scope, it is essential for companies to have experts in their corner to help manage that.
Part of our service to our clients is leveraging our expertise in cyber incident response to work through these issues, and to connect our clients with best-in-class breach coaches and other vendors with vetted expertise in assisting with cyber security incident response. To best maintain a company’s reputational integrity and reduce risk, our team is positioned to move fast and to work collaboratively with our clients to put in place the highest level of services from the inception of an incident and throughout the life of that event so every aspect of the response and messaging surrounding the event is exceptional.
Our goal is to provide, in every matter, the best support and partnership to our clients so they can maintain their hard-earned reputation, and get back to business as usual, as quickly as possible.